Bugtraq mailing list archives

Re: MSIEv6 % encoding causes a problem again


From: Dave Ahmad <da () securityfocus com>
Date: Wed, 4 Sep 2002 14:49:43 -0600 (MDT)


That is correct.  The flaw appears to be in the extraction
of the domain from the URI string and it can be exploited to fool the SOP
check.  The MSIE Zone checks stop attempts to access local file content
and can't be fooled because there is no domain comparison.

The other vulnerability was that security checks simply didn't happen in
the first place and any window could access the properties of a child,
regardless of Zone or domain.  This one is similar in effect, but
slightly less serious.

David Ahmad
Symantec
http://www.symantec.com/

On Wed, 4 Sep 2002, jelmer wrote:

On the border of stating the obvious, %5c (backslash) will also work.

Aside from that point, you mention the pull's bug as an example of the
consequences however this one would appear to be slightly less serious as
the file protocol doesn't allow authentication of the sort

file://jelmer:password@c://test.txt

thus local files can not be read, you can't execute programs using the
object tag etc

It is pretty serious though: what remains is universal cross-site scripting,
which implies you can read the cookies of any domain, or can make it look as
if you are browsing a trusted site while the content is under your
control. Thus you can create fake login screens etc. without raising
suspicion.

--
  jelmer
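The domain-extraction flaw Dave describes, and the %5c point jelmer raises, are an instance of two parsers disagreeing about the same URI string. The following is an added illustration, not code from either post nor from MSIE: a naive "percent-decode, then slice up to the first separator" host extractor beside a WHATWG URL parse, run over constructed inputs (the hostnames `trusted.example` and `other.example` are placeholders).

```javascript
// Added example (not from the thread or from Microsoft). Contrasts a naive
// host extraction with the WHATWG URL parser to show why an origin check
// built on the naive view can disagree with the component that actually
// resolves the request. Requires Node.js (global URL).

// Naive extractor (deliberately wrong, the "before" case): percent-decode
// first, then take the text after "://" up to the first "/" or "\".
function naiveHost(uri) {
  let s;
  try { s = decodeURIComponent(uri); } catch (e) { return null; }
  const start = s.indexOf("://");
  if (start < 0) return null;
  const rest = s.slice(start + 3);
  const end = rest.search(/[\/\\]/);
  return (end < 0 ? rest : rest.slice(0, end)).toLowerCase();
}

// Standards-based extraction: the parser strips userinfo and normalises the
// host before any comparison. An origin check should be built on this value.
function parsedHost(uri) {
  try { return new URL(uri).hostname.toLowerCase(); } catch (e) { return null; }
}

// True when the naive and parsed views disagree, i.e. when an origin check
// based on naiveHost() would be fooled for this URI.
function parserDisagrees(uri) {
  const a = naiveHost(uri), b = parsedHost(uri);
  return a === null || b === null || a !== b;
}

// Constructed sample URIs; hostnames are placeholders, not real sites.
const SAMPLES = {
  plain: "http://trusted.example/page",
  encodedBackslash: "http://trusted.example%5c@other.example/page",
  userinfo: "http://user:pw@other.example/page",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, uri] of Object.entries(SAMPLES)) {
    console.log(name, "naive:", naiveHost(uri), "parsed:", parsedHost(uri),
      "disagree:", parserDisagrees(uri));
  }
}
```

A defender-side takeaway is that every component making a trust decision should derive the host from one parser, after decoding, rather than from ad hoc string slicing.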

